mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-21 21:17:00 +01:00
71b70a2b8c
As for now, if a sudo command was not allowed, check might sometimes pass, resulting compliant state even if it actually is not. Sudo wrapper first checks wether command is allowed before running it, otherwise issues a crit message, setting check as not compliant Fix script to make sudo_wrapper work, split "find" lines Fix quotes in $@ and $* when running sudo command Fixed quotes and curly braces with shellcheck report
108 lines
2.2 KiB
Bash
108 lines
2.2 KiB
Bash
# CIS Debian 7 Hardening common functions
|
|
|
|
#
|
|
# File Backup functions
|
|
#
|
|
backup_file() {
|
|
FILE=$1
|
|
if [ ! -f $FILE ]; then
|
|
crit "Cannot backup $FILE, it's not a file"
|
|
FNRET=1
|
|
else
|
|
TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/" )
|
|
TARGET="$BACKUPDIR/$TARGET"
|
|
debug "Backuping $FILE to $TARGET"
|
|
cp -a $FILE $TARGET
|
|
FNRET=0
|
|
fi
|
|
}
|
|
|
|
|
|
#
|
|
# Logging functions
|
|
#
|
|
|
|
case $LOGLEVEL in
|
|
error )
|
|
MACHINE_LOG_LEVEL=1
|
|
;;
|
|
warning )
|
|
MACHINE_LOG_LEVEL=2
|
|
;;
|
|
ok )
|
|
MACHINE_LOG_LEVEL=3
|
|
;;
|
|
info )
|
|
MACHINE_LOG_LEVEL=4
|
|
;;
|
|
debug )
|
|
MACHINE_LOG_LEVEL=5
|
|
;;
|
|
*)
|
|
MACHINE_LOG_LEVEL=4 ## Default loglevel value to info
|
|
esac
|
|
|
|
_logger() {
|
|
COLOR=$1
|
|
shift
|
|
test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
|
|
builtin echo "$*" | /usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info"
|
|
SCRIPT_NAME_FIXEDLEN=$(printf "%-25.25s" "$SCRIPT_NAME")
|
|
cecho $COLOR "$SCRIPT_NAME_FIXEDLEN $*"
|
|
}
|
|
|
|
cecho () {
|
|
COLOR=$1
|
|
shift
|
|
builtin echo -e "${COLOR}$*${NC}"
|
|
}
|
|
|
|
crit () {
|
|
if [ ${BATCH_MODE:-0} -eq 1 ]; then
|
|
BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}"
|
|
else
|
|
if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi
|
|
fi
|
|
# This variable incrementation is used to measure failure or success in tests
|
|
CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER+1))
|
|
}
|
|
|
|
warn () {
|
|
if [ ${BATCH_MODE:-0} -eq 1 ]; then
|
|
BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}"
|
|
else
|
|
if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger $BYELLOW "[WARN] $*"; fi
|
|
fi
|
|
}
|
|
|
|
ok () {
|
|
if [ ${BATCH_MODE:-0} -eq 1 ]; then
|
|
BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}"
|
|
else
|
|
if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger $BGREEN "[ OK ] $*"; fi
|
|
fi
|
|
}
|
|
|
|
info () {
|
|
if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi
|
|
}
|
|
|
|
debug () {
|
|
if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
|
|
}
|
|
|
|
|
|
#
|
|
# sudo wrapper
|
|
# issue crit state if not allowed to perform sudo
|
|
# for the specified command
|
|
#
|
|
sudo_wrapper() {
|
|
if sudo -l "$@" >/dev/null 2>&1 ; then
|
|
sudo -n "$@"
|
|
else
|
|
crit "Not allowed to \"sudo -n $*\" "
|
|
fi
|
|
}
|
|
|